[PDF] Vulnerability Assessment and Secure Coding Practices for Middleware
Vulnerability Assessment and Secure Coding Practices for Middleware, Part 2

James A. Kupsch

Computer Sciences Department

University of Wisconsin

© 2007-2008, James A. Kupsch. All rights reserved.

Part 2 Roadmap

•Part 1: Vulnerability assessment process
•Part 2: Secure coding practices
  -Introduction
  -Handling errors
  -Numeric parsing
  -ISO/IEC 24731 intro
  -Variadic functions
  -Buffer overflows
  -Injections
  -Directory traversal
  -Integer
  -Race conditions
  -File system issues
  -Canonical form
  -Privileges
  -Command line
  -Environment
  -Denial of service
  -Information leaks
  -Memory allocators
  -General engineering
  -Compiler warnings

Vulnerability Types

•Description of vulnerability
•Signs of presence in the code
•Mitigations
•Safer alternatives

Handling Errors

•If a call can fail, always check the status
•When an error is detected
  -Handle locally and continue
  -Cleanup and propagate the error
  -Exit the application
•All APIs you use, or develop, that can fail need to be able to report errors to the caller
•Using exceptions makes it harder to ignore

Numeric Parsing: No Error Indication

•atoi, atol, atof, scanf family (with %u, %i, %d, %x and %o specifiers)
  -Out of range values result in unspecified behavior
  -Non-numeric input results in 0
  -Use strtol, strtoul, strtoll, strtoull, strtof, strtod, strtold, which provide an error indication

Correct Numeric Parsing

    #include <ctype.h>
    #include <errno.h>
    #include <stdlib.h>

    char *endptr;
    long longVal;
    errno = 0;
    longVal = strtol(s, &endptr, 10);
    if (errno == ERANGE) {ERROR("overflow");}
    if (errno != 0) {ERROR("other error");}
    if (endptr == s) {ERROR("non-numeric");}          /* strtol consumed no digits, so endptr still points at s */
    if (*endptr != '\0') {ERROR("non-numeric at end");}
    if (isspace(*s)) {ERROR("space at beginning");}   /* strtol silently skips leading whitespace */
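The checks on this slide packaged as a reusable function, as an added example that is not part of the slide deck; parse_long and its status enum are names chosen here, not an API the slides describe:

```c
/* Added example (not from the slides): a strtol wrapper that reports every
 * failure the slide lists instead of silently returning 0 like atoi. */
#include <ctype.h>
#include <errno.h>
#include <stdlib.h>

enum parse_status {
    PARSE_OK = 0,
    PARSE_OVERFLOW,       /* value outside [LONG_MIN, LONG_MAX] (errno == ERANGE) */
    PARSE_NOT_NUMERIC,    /* strtol consumed no digits at all */
    PARSE_TRAILING_JUNK,  /* digits followed by other characters, e.g. "12abc" */
    PARSE_LEADING_SPACE,  /* whitespace strtol would otherwise skip silently */
    PARSE_OTHER_ERROR     /* any other errno value set by strtol */
};

/* Parses s as a base-10 long into *out; *out is written only on PARSE_OK. */
enum parse_status parse_long(const char *s, long *out)
{
    char *endptr;
    long val;

    if (s == NULL || *s == '\0')
        return PARSE_NOT_NUMERIC;
    if (isspace((unsigned char)*s))
        return PARSE_LEADING_SPACE;   /* reject what strtol would skip */

    errno = 0;                        /* strtol only sets errno, never clears it */
    val = strtol(s, &endptr, 10);
    if (errno == ERANGE)
        return PARSE_OVERFLOW;
    if (errno != 0)
        return PARSE_OTHER_ERROR;
    if (endptr == s)
        return PARSE_NOT_NUMERIC;     /* nothing converted */
    if (*endptr != '\0')
        return PARSE_TRAILING_JUNK;   /* conversion stopped before end of string */

    *out = val;
    return PARSE_OK;
}
```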

Correct Numeric Parsing in C++

•iostream extraction operators (>>)
  -Type safe
  -All errors set the stream to failed (test with !is)
  -Use istringstream to parse a string

    istringstream is("123 87.32");
    is >> i >> f;
    if (!is) {ERROR("parse error");}

•Boost's lexical_cast<T>(s)
  -http://www.boost.org
  -Throws a bad_lexical_cast exception on failure

Not Enough Information to Report an Error

•strcat, strcpy, strncat, strncpy, gets, getpass, getwd, scanf (with %s or %[...], without width specified)
  -Unable to report an error if the buffer would overflow, as it does not have enough information
  -Only secure in the rare case where files or strings are verified for secure values before use
  -Never use these

ISO/IEC 24731: Extensions for the C library, Part 1, Bounds Checking Interface

•Functions to make the C library safer
•Meant to easily replace existing library calls with little or no other changes
•Easy to check errors
•Very few unspecified behaviors
•All updated buffers require a size

ISO/IEC 24731: Run-time Constraints

•A run-time constraint is a property of the arguments that must be true at call time
•A violation is handled by a callback
  -Set with set_constraint_handler_s
  -Default is abort_handler_s
    •Violations are not allowed to affect the program (it aborts)
  -ignore_handler_s
    •Allows detection and handling of violations locally
  -Define your own callback

ISO/IEC 24731: Common Run-time Constraints

•rsize_t parameter type used to indicate the size of the buffer or amount to copy
  -Violation if size > RSIZE_MAX
  -Catches large sizes caused by integer overflow
•Buffer pointers
  -Violation if NULL
•dst buffer too small for operation
  -Usually a violation (snprintf_s truncates instead)

ISO/IEC 24731: gets_s

•gets_s(buf, bufSize)
•Like fgets(buf, bufSize, stdin), except the new-line is removed
•Run-time constraint failure if a new-line is not found in bufSize characters
•If error
  -Null-terminates buf
  -Reads the complete line and discards it instead of returning a partial line like fgets

Variadic Functions

•C functions that can take a variable number of parameters
•Not type safe
  -Types and number are known only from the format string, or implicitly, or sentinel values are used
•Signs: va_list, va_start, va_arg, va_end
•Common variadic functions
  -printf, scanf, syslog families
  -execl family
  -open with O_CREAT (3rd argument is the mode)

Variadic Function Safety

•printf, scanf, syslog families
  -Never take the format string from the user
  -Use compile time constants for the format string
  -Turn on compile time warnings to check arguments against the format string
  -Use C++ iostreams
•Check that all calls to open with O_CREAT include the 3rd argument for the mode
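A variadic logging wrapper following the rules above, as an added example that is not from the slides: the format string is a compile-time constant, user data only ever travels as an argument, and the GCC/Clang format attribute lets the compiler check argument types. format_log_line, log_user_message and LOG_BUF are names chosen here.

```c
/* Added example (not from the slides): a variadic logging wrapper whose format
 * string is checked at compile time, with truncation reported to the caller. */
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

#define LOG_BUF 64

/* The format attribute makes -Wall's -Wformat check argument types against the
 * format string, and -Wformat-security flags callers that pass a non-literal
 * format.  Returns 0 on success, -1 on encoding error, 1 if output truncated. */
#if defined(__GNUC__)
__attribute__((format(printf, 2, 3)))
#endif
int format_log_line(char out[LOG_BUF], const char *fmt, ...)
{
    va_list ap;
    int r;

    va_start(ap, fmt);
    r = vsnprintf(out, LOG_BUF, fmt, ap);  /* bounded: never writes past out */
    va_end(ap);

    if (r < 0)
        return -1;
    if (r >= LOG_BUF)                      /* vsnprintf reports the size it needed */
        return 1;
    return 0;
}

/* Correct use: constant format, untrusted text only as a %s argument.
 * Writing format_log_line(out, user) instead would hand the user the format
 * string, which is exactly what the slide says never to do. */
int log_user_message(char out[LOG_BUF], const char *user, int code)
{
    return format_log_line(out, "user=%s code=%d", user, code);
}
```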

Buffer Overflows

•Description
  -Accessing locations of a buffer outside the boundaries of the buffer
•Common causes
  -C-style strings
  -Array access and pointer arithmetic in languages without bounds checking
  -Off by one errors
  -Fixed large buffer sizes (make it big and hope)
  -Decoupled buffer pointer and its size
    •If not together, overflows are impossible to detect
    •Require synchronization between the two
    •Ok if size is implicitly known and every use knows it (hard)

Why Buffer Overflows are Dangerous

•An overflow overwrites memory adjacent to a buffer
•This memory could be
  -Unused
  -Program data that can affect operations
  -Internal data used by the runtime system
•Usual sign is a crash
•Specially crafted values can be used for an attack

Buffer Overflow of User Data Affecting Flow of Control

    char id[8];
    int validId = 0;                    /* not valid */
    gets(id);                           /* reads "evilguyxy" */
                                        /* validId is now 121 decimal */
    if (IsValid(id)) validId = 1;
    if (validId) {DoPrivilegedOp();}    /* runs */

(Figure: stack layout with id[8] directly adjacent to validId; the ninth character 'y' (0x79 = 121) lands in validId.)

Pointer Attacks

•First, overwrite a pointer
  -In the code
  -In the run-time environment
    •Heap attacks use the pointers usually at the beginning and end of blocks of memory
•Second, cause the pointer to be used
  -Read user controlled data that causes a security violation
  -Write user controlled data that later causes a security violation

Stack Smashing

•This is a buffer overflow of a variable local to a function that corrupts the internal state of the run-time system
•Target of the attack is the value on the stack to jump to when the function completes
•Can result in arbitrary code being executed
•Not trivial, but not impossible either

Attacks on Code Pointers

•Stack Smashing is an example
•There are many more pointers to functions or addresses in code
  -Dispatch tables for libraries
  -Function pointers in code
  -C++ vtables
  -jmp_buf
  -atexit
  -Exception handling run-time
  -Internal heap run-time data structures

Buffer Overflow of a User Pointer

    char id[8];
    int (*logFunc)(char*) = MyLogger;
    gets(id);              /* reads "evilguyx" followed by the bytes of a pointer value */
    logFunc(userMsg);      /* equivalent to system(userMsg) */

(Figure: id[8] sits next to logFunc on the stack; before the overflow logFunc holds "Ptr to MyLogger", after it holds "Ptr to system".)

C-style String Design Flaws

•Null terminated array of characters
•Represented by a pointer to this array
•Not a proper type, just a convention
•Only language support is string literals
  -Initialize a char array
  -Create array containing a constant string literal
•Problems
  -Null may be missing
  -Pointers are difficult to use correctly
  -Size of buffer is kept externally from pointer, if at all
  -Many common operations are expensive
  -Can't have a string with a null in it

C-style String Example

    char u[4] = "cows";    /* exactly four chars: no room for the terminating null */
    char t[] = "dog";
    char *s = "cat";

(Figure: on the stack u holds "cows" with no null, immediately followed by t holding "dog\0"; s points into the string store at "cat\0".)

Buffer Overflow Danger Signs: Missing Buffer Size

•gets, getpass, getwd, and scanf family (with %s or %[...] specifiers without width)
  -Impossible to use correctly: size comes solely from user input
  -Alternatives

    Unsafe             Safe
    scanf("%s", s)     scanf("%100s", s)
    getwd(s)           getcwd(s, sLen)
    gets(s)            fgets(s, sLen, stdin)
•strcat, strcpy, sprintf, vsprintf
  -Destination buffer size not passed
•Impossible for the function to detect overflow
  -Difficult to use safely w/o preflight checks
•Checks require destination buffer size
•Length of data formatted by printf
  -Difficult & error prone
  -Best incorporated in the function

Proper usage: concat s1, s2 into dst

    if (dstSize < strlen(s1) + strlen(s2) + 1) {ERROR("buffer overflow");}
    strcpy(dst, s1);
    strcat(dst, s2);

Buffer Overflow Danger Signs: Difficult to Use and Truncation

•strncat(dst, src, n)
  -n is the maximum number of chars of src to append (trailing null also appended), implying n must be (dstSize - strlen(dst) - 1) or less
•strncpy(dst, src, n)
  -Writes n chars into dst; if strlen(src) < n, it fills the other n - strlen(src) chars with 0's
  -If strlen(src) >= n, dst is not null terminated
•Neither allows truncation detection directly from the result

Proper Usage of strncat and strncpy

•Requires essentially the same check as before
•Checks are inefficient, but required

Proper usage: concat s1, s2 into dst (curDstSize is a signed integer, e.g. long, so the final check can see it go to zero or below)

    curDstSize = dstSize;
    strncpy(dst, s1, curDstSize);
    if (strlen(s1) >= curDstSize) {ERROR("truncation");}  /* strncpy left dst unterminated */
    curDstSize -= strlen(s1);
    strncat(dst, s2, curDstSize - 1);    /* n excludes the null that strncat appends */
    curDstSize -= strlen(s2);
    if (curDstSize < 1) {ERROR("truncation");}

Buffer Overflow Danger Signs: scanf family

•Max field width cannot be taken from an argument (a * width suppresses assignment instead)
•%nc does not null terminate
•%ns and %n[...] require a buffer of size n+1
•Requires manual coordination of format string, number and types of arguments, and result

Example: 3 items must be coordinated

    char big[100], small[10];
    int r, j;
    r = scanf("%99s %9s %d", big, small, &j);
    if (r == EOF) {ERROR("EOF");}
    if (r != 3) {ERROR("bad line");}

Unterminated String: readlink

•readlink(path, buf, bufSize)
•Reads symbolic link referent
•Does not null terminate
•Returns number of characters written to buf, or -1 on error

Proper usage: readlink

    r = readlink(path, buf, bufSize);
    if (r == -1) {ERROR("error in errno");}
    if (r == bufSize) {ERROR("referent truncated");}   /* no room left for the null */
    buf[r] = '\0';

Buffer Overflow Mitigations

•snprintf(buf, bufSize, fmt, ...) and vsnprintf
  -Truncation detection possible (result >= bufSize implies truncation)
  -Can be used as a safer version of strcpy and strcat
  -Officially doesn't exist until the C99 standard

Proper usage: concat s1, s2 into dst

    r = snprintf(dst, dstSize, "%s%s", s1, s2);
    if (r >= dstSize) {ERROR("truncation");}

Safer String Handling: BSD's strlcpy and strlcat

•strlcpy(dst, src, size) and strlcat(dst, src, size)
  -size is always the size of the dst buffer
  -Returns number of chars required
  -result >= size indicates truncation
  -dst always null terminated, except strlcat when the incoming dst is not terminated within size
  -Can read outside src if it is not null-terminated
  -Not universally implemented (not in linux)

Safer String Handling: BSD's strlcpy and strlcat

Proper usage: concat s1, s2 into dst

    /* safe to just check errors at last call */
    (void)strlcpy(dst, s1, dstSize);
    r = strlcat(dst, s2, dstSize);
    if (r >= dstSize) {
        if (r == dstSize && dst[dstSize - 1] != '\0') {   /* last byte of dst, not one past it */
            /* this should not happen as strlcpy will always terminate */
            ERROR("unterminated dst");
        } else {
            ERROR("truncation");
        }
    }
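Because the slide notes strlcpy/strlcat are not universally available, this added example (not code from the slides) implements both with the documented BSD semantics and then wraps the concat pattern above so it returns a status rather than calling ERROR(); my_strlcpy, my_strlcat and concat_l are names chosen here.

```c
/* Added example (not from the slides): portable strlcpy/strlcat with BSD
 * semantics, and the slide's concat pattern returning a status code. */
#include <stddef.h>
#include <string.h>

/* Copies src to dst, always terminating when size > 0; returns strlen(src),
 * so a result >= size means the copy was truncated. */
size_t my_strlcpy(char *dst, const char *src, size_t size)
{
    size_t srclen = strlen(src);

    if (size > 0) {
        size_t n = srclen < size - 1 ? srclen : size - 1;
        memcpy(dst, src, n);
        dst[n] = '\0';
    }
    return srclen;
}

/* Appends src to dst within size bytes total; returns the length it tried to
 * create.  If dst is not terminated within size, returns size + strlen(src). */
size_t my_strlcat(char *dst, const char *src, size_t size)
{
    size_t dstlen = 0;

    while (dstlen < size && dst[dstlen] != '\0')   /* bounded scan, no strlen */
        dstlen++;
    if (dstlen == size)
        return size + strlen(src);                 /* incoming dst unterminated */
    return dstlen + my_strlcpy(dst + dstlen, src, size - dstlen);
}

/* Concatenates s1 and s2 into dst[dstSize].  Returns 0 on success, 1 on
 * truncation, -1 for an unterminated dst (cannot happen here, since
 * my_strlcpy always terminates, but kept as on the slide). */
int concat_l(char *dst, size_t dstSize, const char *s1, const char *s2)
{
    size_t r;

    (void)my_strlcpy(dst, s1, dstSize);   /* safe to check only the last call */
    r = my_strlcat(dst, s2, dstSize);
    if (r >= dstSize) {
        if (dstSize > 0 && dst[dstSize - 1] != '\0')
            return -1;
        return 1;
    }
    return 0;
}
```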

ISO/IEC 24731: string and memory functions

•strcpy_s, strncpy_s, memcpy_s, strcat_s, strncat_s, memmove_s
•Like the standard counterpart, except all include an additional parameter for the length of the destination buffer
•Run-time constraint failure if the destination buffer is too small
•If error
  -Null-terminates destination buffer; null fills the buffer for mem functions

ISO/IEC 24731: string and memory functions

•Very easy to convert typical unsafe code